Today the National Counterintelligence and Security Center (NCSC) and the Department of Defense’s Center for Development of Security Excellence (CDSE) published a risk mitigation guide to help organizations in the food industry understand insider risks, establish insider risk programs, and develop mitigation strategies. The “Insider Risk Mitigation Programs: Food and Agriculture Sector Implementation Guide” was developed in collaboration with federal partners and stakeholders, including the FDA.
“Organizations in the food and agriculture sector play a critical role in protecting public health and safety, as well as U.S. economic and national security,” said NCSC Acting Director Michael Orlando in an NCSC press release. “This guidance is designed to help these entities create effective programs to deter, detect, and mitigate potential insider threats before they can cause harm.”
The guide includes links to federal resources in food and agriculture, and case studies concerning food adulteration, IP theft and active shooter incidents that were carried out by insiders. Any organization can be exposed to an insider threat, which is a person who has authorized access and uses it to commit harm to the organization. “Those with authorized access to facilities, personnel, or information can include employees, vendors, partners, suppliers, or others,” according to NCSC. “Most insider threats exhibit risky behavior prior to committing negative workplace events. If identified early, many insider threats can be mitigated before harm to the organization occurs.”
Insider threats can target food organizations through food adulteration, food fraud, theft and workplace violence.
Current events and external threats to food and agriculture
Case studies and lessons learned in food defense
Insider threat mitigation
Resources for food and beverage manufacturers
Featured speakers include Jason Bashura, PepsiCo (session moderator); April Bishop, Treehouse Foods; Ben Miller, The Acheson Group; Frank Pisciotta, BPS, Inc.; Joel Martin, Cargill; James Nasella, Tate & Lyle; Scott Mahloch, Cassandra Carter, and Kevin Spradlin, FBI; Rob Odell, National Insider Threat Task Force; Sarah Miller, Carnegie Mellon/CERT; Rebecca Morgan, Center for the Development of Security Excellence.
The event begins at 12 pm ET on Thursday, November 12.
Yesterday marked the beginning of the 2020 Food Safety Consortium Virtual Conference Series. Episode 1 featured Food Defense Foundational Planning Elements: Strategies, Insights and Best Practices. Led by Jason Bashura, senior manager, global defense at PepsiCo, food defense experts from manufacturing, retail and the government shared different perspectives on the FSMA Intentional Adulteration rule; how to develop a food defense plan; the key role that food safety culture plays in food defense; education and training; and establishing awareness of and combating various threats to the food supply, including the insider threat.
Especially eye-opening was the information presented by Robert Norton, Ph.D. of Auburn University about the threats against the food supply (a “target-rich environment”) and the range of adversaries and their motivation for disrupting the food supply.
With significant clusters of COVID-19 infection among employees—16,000 cases and 86 deaths documented by the CDC through May 2020—the food processing and distribution industry faces significant challenges in reopening its facilities and ramping up to full capacity. Technology for health and safety access governance and intelligence, along with guidelines from the CDC and OSHA, can help support food companies in the automation of certain compliance activities and a safe return-to-work strategy.
Designated part of the essential critical infrastructure by the federal government at the onset of the pandemic in the spring of 2020, the food supply chain needs active solutions to protect its workforce. But there’s more to this back-to-work transition. Workers need to feel safe and trust that new security, safety and compliance processes have their best interests in mind, which translates into an overall positive experience with their employer.
In the age of contagion, the food industry requires ways to communicate better with the workforce, identify and isolate areas of contagion and also deal with the lingering presence of potential bioterrorism, insider threat and cyber-attack. It’s a multi-faceted and complex workspace we’re reentering, one that takes coordination of technology, people and processes. Without it, food suppliers risk plant shutdowns and loss of business continuity.
Bioterrorism and insider threat remain an active part of the supply chain landscape. In fact, according to a June 2020 Wall Street Journal Pro Research Survey of cybersecurity executives at nearly 400 companies, 67% were concerned about malicious insiders. Remote workers and lax controls have exacerbated the situation and rising threats include malicious employees, accidental negligence, contractor or vendor misuse and account compromise.
The Landscape of Collaboration
The ongoing coordination between human resources (HR) and security is a collaborative effort that bolsters food defense in a COVID-19 world. Fueled by digital transformation, converged physical security and HR management solutions are wound together tightly in a coordinated and analytical approach to keep food industry employees safe and operations running smoothly.
These departments, once siloed and co-existing without direct interaction, are benefiting from software’s move to the cloud and open operating platforms, which provides increased opportunity for real-time integration of HR, security and facilities technologies. A converged approach across all departments, including HR, IT/cyber and operational technology (OT)/SCADA, can effectively secure our most critical food production and distribution resources while actively enforcing compliance and company policies, including COVID-19 mandates. In addition, physical security access governance, applied in a holistic manner, protects food industry workers and processes from compromised identities, systems and insider threats.
HR and physical security now have the ability to share data insights to prevent, detect and mitigate the spread of contagions. With this convergence, organizations have the information they need to actively defend and protect the workforce, focusing on the human side of security to yield a positive experience.
Enabling a Safe and Healthy Return to Work
This time of unprecedented change has triggered a tectonic shift in the way organizations have been dealing with the health, security and safety of their workforce. Sensing a coming tsunami, HR, corporate real estate and physical security leaders are realizing that they must stop operating in silos and embrace a holistic approach. Enterprise response and recovery plans have become a major catalyst for converged security, as it has proven to be the most effective way to manage workspace access and enforce workforce security, safety and privacy.
Reopening with Technology at Your Back
Physical identity access management (PIAM) software, including visitor identity management (VIM), is a convergence platform that delivers identity and access governance, health and safety intelligence and compliance validation across the enterprise. PIAM provides a safer work environment by managing physical, logical and operational technology access for employees and visitors, actively enforcing company policies, compliance and industry regulations with built-in best practices and regulatory controls. Automated policy-driven background checks yield real-time vetting of visitors, contractors and employees while validating and identifying any policy violations. PIAM and VIM keep facilities and workers safe, making sure that employees and visitors only have access to the areas, data and assets they need, including vital food processing areas where deliberate sabotage needs to be kept at bay.
While prevention of bioterrorism and insider threat is ongoing at food distribution, production and processing facilities, there’s been a notable shift during the pandemic that focuses on the health and safety of workers. Security is no longer simply about keeping the bad guys out; it’s about safety and protecting workers from unsafe behavior.
Workforce health and safety access governance software solutions help organizations open safely in a frictionless, controlled and secure way by automating and enforcing COVID-19 related policies and procedures. Automated batch email/text notifications with self-service links send requests to the remote workforce for self-attestation and self-reporting offsite and enable access by the worker to the facility based on health, travel and other company policies.
Here’s how it works: An employee completes the self-reporting health and travel questionnaire through a mobile app, which triggers automated workflows based on those answers. These health questionnaires collect data and document employee activity during lockdown, including infection, symptoms or exposure. The employee’s self-attestation request comes to the manager for action, and, based on the answers, the worker is considered high risk; per policy, their access to the facility is revoked for 14 days while they are in quarantine. A similar self-attestation and workflow then applies to reinstatement for the employee. This reporting and workflow can be configured specifically to the facility. Enterprises can further customize their visitor identity management to provide clear communication of current policies during the outbreak, reinforcing WHO best practices.
Focus on Health and Safety
Health and safety access governance and intelligence provides prescreening support of workforce site entry with automated policy enforcement. Pre-registered and onsite visitors and contractors check in and check out with prescreening, watch list and other checks prior to access. In the production or distribution facility, health and safety analytics track confirmed or potentially exposed COVID-19 workers, identify exposed areas for lockdown and/or sanitization, flag social distancing violations, and provide location heat maps and other actionable health and safety analytics.
PIAM also allows you to automate your communications and deliver clear expectations and procedures to your workforce, visitors and contractors pre-visit and onsite—adding to a seamless experience.
Security convergence delivers a comprehensive, holistic solution across the entire food value chain, from sourcing to production to retail distribution. Human resources and physical security have teamed up—yielding real-time data that can prevent, detect and mitigate the spread of contagions. With this convergence comes greater situational awareness that defends and protects the workforce, with a strong focus on safety and building trust between worker and employer.
Food defense is the effort to protect food from intentional acts of adulteration where there is an intent to cause harm. Like counterterrorism laws for many industries, the IA rule, which established a compliance framework for regulated facilities, requires that these facilities prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment (VA) to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, as defined by the FDA. Lessons learned during the conduct of food defense vulnerability and risk assessments and the preparation of the required food defense plan are detailed throughout this three-part series of articles. Part I of this series is intended to assist facilities that have not yet conducted vulnerability assessments or wish to review those already conducted, by leveraging lessons learned from assessments conducted for the largest and most complex global food and beverage facilities.
Lesson 1: VA outcomes are greatly enhanced if a physical security professional is consulted. In support of this contention, there are several physical security mitigation strategies, which can be employed to support a food defense program, that are frequently under-utilized and are not optimally managed by non-security staff. Also, the FDA seems to promote the use of cameras even though this equipment is unlikely to prevent an incident of intentional adulteration. For organizations that choose to use video surveillance, a competent security professional can help organizations engineer and operate video surveillance for maximum benefits and to meet challenging record-keeping requirements when this mitigation strategy is included in a food defense plan.
Lesson 2: Given the focus by the FDA on the insider, a formal insider threat detection program is highly recommended. Trying to promote the common, “See Something, Say Something” strategy may not be enough. For example, if employees are not clearly told what to look for in terms of uniform requirements, how to identify persons who do not belong or changes to a coworker’s baseline behavior, which may indicate moving toward a path to violence or sabotage, then “See Something, Say Something” may end up being no more than a catchy slogan.
A key element of an insider threat detection program is the completion of effective background checks for all persons who will be allowed in the facility unescorted. This includes temporary employees and contractors. A common theme in many of the recent, serious intentional adulteration incidents was that the person responsible was involved in some sort of grievance observable to coworkers and supervisors. In all insider threat detection programs, the grievance becomes an important trip wire. The Carnegie Mellon University Software Engineering Institute has published a document titled, “Common Sense Guide to Mitigating Insider Threats, Sixth Edition”. In this document is some particularly helpful guidance that can be used to stand up an insider threat detection program, but this is an effort that can take some time to fully implement.
Lesson 3: The FDA has made it abundantly clear that they believe the focus for the food and beverage industry should be the radicalized insider. A closer look at all the recently publicized contamination events suggests that there are other profiles that need to be considered. A good foundational model for building profiles of potential offenders can be found in the OSHA definitions for workplace violence offenders, which have been expanded to address ideologically based attacks. Table I applies those descriptions to the food and beverage industry, with an asterisk placed by those offender profiles that appear in recent incidents and are discussed later in the text.
| OSHA Workplace Violence Offender Description | Motivation Translated to the Food and Beverage Industry |
| --- | --- |
| The offender has no legitimate relationship to the business or its employee(s). Rather, the violence is incidental to another crime, such as robbery, shoplifting, trespassing or seeking social media fame. | Behavioral Health Patient *; Social Media Fame Seeker *; Economic motivation * |
| When the violent person has a legitimate relationship with the business—for example, the person is a customer, client, patient, student, or inmate—and becomes violent while being served by the business, the violence falls into this category. | My load isn’t ready, you are costing me money |
| The offender of this type of violence could be a current employee or past employee of the organization who attacks or threatens other employee(s) in the workplace. | I am upset with a coworker and adulterate to create problems for that person *; I am upset with the company and adulterate as retribution and to harm the brand *; I am not paid enough * |
| The offender may or may not have a relationship with the business but has a personal (or perceived personal) relationship with the victim. | I am upset with an intimate partner/coworker and adulterate to create problems for that person |
| Ideological workplace violence is directed at an organization, its people, and/or property for ideological, religious or political reasons. The violence is perpetrated by extremists and value-driven groups justified by their beliefs. | |

Table I. A description of OSHA workplace violence offenders and how it can be applied to the F&B industry.
A supermarket in Michigan recalled 1,700 lbs. of ground beef after 111 people fell ill with nicotine poisoning. The offender, an employee, mixed insecticide into the meat to get his supervisor in trouble. In Australia, the entire strawberry industry was brought to its knees after a disgruntled supervisor “spiked” strawberries with needles. There were more than 230 copycat incidents impacting many companies. A contract employee in Japan, apparently disgruntled over his low pay, sprayed pesticide on a frozen food processing line resulting in illnesses to more than 2,000 people. A contract worker upset with a union dispute with the company at a food manufacturing plant videoed himself urinating on the production line, then uploaded the video to the Internet. Be cognizant of any grievances in the workplace and increase monitoring or take other proactive steps to reduce the risk of intentional adulteration.
Lesson 4: The IA Rule requires that every point, step and procedure be analyzed to determine if it is an actionable process step (APS). The Hazard Analysis Critical Control Point flow charts are a good starting point to comply with this element of the law but cannot be counted on completely to achieve the standard of analyzing every point, step or procedure. Critical thinking and persons familiar with the production process need to be involved to ensure that no steps are missed. Oftentimes companies modify the HACCP flow diagrams after a VA.
Lesson 5: The FDA states in the second installment of guidance to the industry that, “There are many possible approaches to conducting a VA. You may choose an approach based on considerations such as the time and resources available and the level of specificity desired. You have the flexibility to choose any VA approach, as long as your VA contains each required component (21 CFR 121.130).”
The FDA further states that the Key Activity Type, or KAT method, is an appropriate method for conducting a VA because it reflects consideration of the three required elements and the inside attacker. Used alone, however, this methodology can result in substantially more APSs, including ones that might otherwise be ruled out for practical reasons such as a lack of accessibility or a lack of feasibility to contaminate the product at a point, step or procedure. We have experienced up to a 90% decline in APSs by utilizing another FDA-recommended assessment approach, the hybrid approach, which first assesses whether each point, step or procedure is a KAT. To then qualify as an APS, it must also trigger positively for public health impact, accessibility and feasibility to contaminate the product.
Organizations that have yet to execute vulnerability assessments (due July 26, 2020) or that may wish to reflect back on their existing VAs in an effort to eliminate unnecessary APSs should find these strategies helpful for focusing limited resources on the areas where they can have the greatest effect. The next two articles in this series will cover more information on electronic access, the value of site tours, comparisons to drinking water security strategies, dealing with multi-site assessments and more.